DEPARTMENT OF HOMELAND SECURITY

Office of Inspector General

Challenges Remain in Securing the Nation's Cyber Infrastructure

OIG-07-48                                 June 2007


Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

June 5, 2007

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report addresses the strengths and weaknesses of the National Cyber Security Division's implementation of its mission to coordinate security of the nation's cyber infrastructure. It is based on interviews with employees and officials of relevant agencies and institutions, direct observations, technical scans, and a review of applicable documents.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. It is our hope that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

                                             Richard L. Skinner
                                             Inspector General


Table of Contents/Abbreviations

  Executive Summary ..... 1
  Background ..... 2
  Results of Audit ..... 4
    Progress Made In Securing Cyberspace ..... 4
    Better Management of Strategic Plan Is Needed ..... 5
      Establish Priorities to Ensure Critical Tasks Are Completed ..... 5
      NCSD Needs to Improve the Monitoring of Its Milestones ..... 6
      Recommendations ..... 7
      Management Comments and OIG Analysis ..... 8
      Better Defined Performance Measures Are Needed ..... 8
      Recommendation ..... 10
      Management Comments and OIG Analysis ..... 10
      Expanded Incident Reporting Analysis Will Improve Identification and Response to Cyber Incidents ..... 11
      Recommendations ..... 13
      Management Comments and OIG Analysis ..... 13
    Improved Information Sharing and Communications Will Enhance Cyber Infrastructure Security ..... 14
    Recommendations ..... 17
    Management Comments and OIG Analysis ..... 18
    Revised Certification and Accreditation Will Satisfy FISMA Requirements ..... 19
    Recommendations ..... 21
    Management Comments and OIG Analysis ..... 22

Appendices
  Appendix A: Purpose, Scope, and Methodology ..... 24
  Appendix B: Management Comments to the Draft Report ..... 26
  Appendix C: NCSD Major Functions and Responsibilities ..... 35
  Appendix D: Federal Agency Incident Categories ..... 37
  Appendix E: Major Contributors to this Report ..... 38
  Appendix F: Report Distribution ..... 39

Abbreviations
  CS&C      Cyber Security and Communications
  CS&T      Cyber Security and Telecommunications
  DHS       Department of Homeland Security
  FISMA     Federal Information Security Management Act
  IT        Information Technology
  NCSD      National Cyber Security Division
  NIST      National Institute of Standards and Technology
  OIG       Office of Inspector General
  OMB       Office of Management and Budget
  PART      Program Assessment Rating Tool
  US-CERT   United States Computer Emergency Readiness Team


OIG
Department of Homeland Security
Office of Inspector General

Executive Summary

We audited the National Cyber Security Division to determine whether: (1) it is working collaboratively with the public, private, and international entities to secure cyberspace and cyber assets; (2) it is effectively managing the implementation of The National Strategy to Secure Cyberspace; and (3) security controls were effectively implemented on two mission support systems (Einstein and Cybercop Portal).

Since our last review in 2004, the National Cyber Security Division has taken actions to further implement The National Strategy to Secure Cyberspace. For example, the division has established a fully operational incident handling center (United States Computer Emergency Readiness Team). The National Cyber Security Division has put into action programs that promote cyber security awareness among the public and private sectors; improve vendor software development and reduce vulnerabilities; develop and promote sound practices and standards that enhance cyber security; promote a global culture of security through international outreach awareness; promote and facilitate the development of adequately trained information technology professionals; and plan, coordinate, and conduct cyber exercises with the public and private sectors to improve cyber security readiness, protection, and incident response capabilities. The National Cyber Security Division has established working groups and participated with public and private sector organizations to share information and protect cyberspace and cyber assets.

While the National Cyber Security Division has made progress in meeting its mission, it can improve its efforts to secure the nation's cyber infrastructure. Specifically, the division has not (1) established priorities to ensure that its mission-critical tasks supporting its programs are completed in a timely manner; (2) developed enhanced performance measures that can be used to evaluate its effectiveness in meeting its mission; (3) fully developed its information sharing and communications programs with the private sector; (4) developed and implemented enhanced procedures to ensure that all known cyber incidents from across the federal government are being reported; and (5) ensured that its support systems comply with all Federal Information Security Management Act requirements, including testing of contingency plans.

We are making 14 recommendations to the Assistant Secretary for Cyber Security and Communications (CS&C). CS&C has already begun to take actions to implement 13 of the recommendations. CS&C's response is summarized and evaluated in the body of this report and included, in its entirety, as Appendix B.


Background

The Department of Homeland Security (DHS) established the National Cyber Security Division (NCSD) in June 2003 to serve as a national focal point for addressing cyber security issues and to coordinate implementation of the cyber security strategy in the United States. NCSD's mission is to work collaboratively with public, private, and international entities to secure cyberspace and cyber assets, and to implement the actions and recommendations of The National Strategy to Secure Cyberspace.[1]

In September 2006, the first Assistant Secretary for Cyber Security and Telecommunications (CS&T) was appointed within the Preparedness Directorate, which includes NCSD.[2] NCSD reports to the Assistant Secretary, is headed by the Office of the Director, and comprises four branches: United States Computer Emergency Readiness Team (US-CERT) Operations, Law Enforcement and Intelligence, Outreach and Awareness, and Strategic Initiatives. In October 2006, a new NCSD Acting Director was named, who later became the Director in January 2007. As of December 2006, NCSD had a staff of 107 (31 federal employees, 4 detailees, and 72 contractors). See Figure 1 for an organization chart and Appendix C for the major functions and responsibilities of each branch.

Figure 1 – NCSD Organization Chart

[1] The White House issued The National Strategy to Secure Cyberspace in February 2003.
[2] On March 31, 2007, CS&T was renamed Office of Cyber Security and Communications and the Preparedness Directorate was renamed the National Protection and Programs Directorate.

US-CERT is the operational arm of NCSD and is charged with protecting the nation's Internet infrastructure by coordinating defense against and response to cyber attacks. In addition, US-CERT is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber trend and analysis information, and coordinating incident response activities. US-CERT interacts with federal agencies, the information technology (IT) industry, the research community, state and local governments, and others to disseminate reasoned and actionable cyber security information to the public.

NCSD has worked collaboratively with private and public sector partners to develop the IT Sector-Specific Plan. The final draft of this document was completed in December 2006. The IT Sector-Specific Plan provides a foundation for sector planning activities to manage risk and to improve situational awareness, response, recovery, and reconstitution of the nation's IT infrastructure. These improvements, which can be accomplished through the public and private sectors, will enhance national capabilities. The IT Sector-Specific Plan identifies near-term (less than 1 year) and long-term (1 to 3 years) actions that require collaborative efforts between and among the private sector, state and local governments, non-governmental organizations, and the federal government.

CS&T produced a strategy report, in December 2006, for the DHS Secretary that provides a comprehensive overview of its organization. The report lists stakeholders' expectations, CS&T's capabilities, current initiatives, gaps between stakeholder expectations and the organization's capabilities and programs, strategic priorities, and actions to support the mission over the next 2 years.

In July 2004, we reported that NCSD had begun to implement the actions and recommendations detailed in The National Strategy to Secure Cyberspace.[3] We noted that NCSD faced a number of challenges to address long-term cyber threats and vulnerabilities to the nation's critical infrastructure. Specifically, we found that NCSD had not:
  •   Prioritized its initiatives to address the recommendations in The National Strategy to Secure Cyberspace.
  •   Identified the resources needed to ensure that it could identify, analyze, and reduce long-term cyber threats and vulnerabilities.
  •   Developed strategic implementation plans, including performance measures and milestones, focusing on the division's priorities, initiatives, and tasks.
  •   Instituted a formal communications process within DHS, as well as with the public, private, and international sectors.
  •   Initiated and implemented a process to oversee and coordinate efforts to develop best practices and create cyber security policies with other government agencies and the private sector.

[3] Progress and Challenges in Securing the Nation's Cyberspace (OIG-04-29, July 2004).

NCSD has taken corrective actions to develop strategic implementation plans, institute a formal communications process, and oversee and coordinate efforts to develop best practices and security policies. However, other recommendations remain open and are addressed in this report.


Results of Audit

Progress Made In Securing Cyberspace

NCSD has made progress in its cyberspace security efforts. Specifically, NCSD established a fully operational incident-handling center (US-CERT) to facilitate information sharing across all infrastructure sectors and to help protect and maintain the continuity of the nation's cyber infrastructure. In addition, NCSD has established working groups and participated with public and private sector organizations to share information and protect cyberspace and cyber assets.

NCSD also has put into action programs to address the recommendations in The National Strategy to Secure Cyberspace. For example:
  •   The Outreach and Awareness program was established to promote cyber security awareness among and within the public and private sectors, maintain relationships with governmental cyber security professionals to coordinate and share information about cyber security initiatives, and develop partnerships to promote coordination and collaboration on cyber security activities.
  •   The Software Assurance program seeks to reduce software vulnerabilities, minimize exploitation, and address ways to improve capabilities to develop and deploy trustworthy software products.
  •   The Standards and Best Practices program promotes and sponsors the development of standards, guidance documents, metrics, and tools that raise awareness and encourage the implementation of cyber security practices and processes.
  •   The International Affairs program was established for NCSD to engage in international outreach activities to build awareness about the global cyber risk, share information about the role and activities of computer security incident response teams, and build relationships among governments toward global cooperation on cyber security.
  •   The Training and Education program promotes and facilitates the development of adequately trained information technology professionals to support the Nation's cyber security needs via effective training, education, and certification programs.
  •   The Cyber Exercise program plans, coordinates, and conducts cyber exercises with the public and private sectors as a mechanism for NCSD to improve cyber security readiness, protection, and incident response capabilities.

The implementation of these programs helps NCSD fulfill its mission to partner with the public and private sectors to prevent, minimize, prepare for, and respond to threats to critical IT infrastructure. However, as discussed in the following sections, improvements are needed in NCSD's efforts to implement The National Strategy to Secure Cyberspace.

Better Management of Strategic Plan Is Needed

NCSD has not effectively managed its strategic plan to ensure that critical tasks are completed in a timely manner. Specifically, NCSD has not prioritized key activities for the division or established effective performance measures to monitor the division's progress in accomplishing its mission and goals. In addition, NCSD needs to improve its incident reporting analysis in order to identify and reduce underreporting by federal agencies. Until NCSD implements its critical strategic initiatives, including the reporting of all cyber incidents and monitoring its progress with effective performance measures, the division cannot ensure that it can partner successfully with the public and private sector to prevent, minimize, prepare for, and respond to threats to critical IT infrastructure.

Establish Priorities to Ensure Critical Tasks Are Completed

NCSD has undertaken steps to address the recommendations proposed in The National Strategy to Secure Cyberspace. However, in addressing the recommendations, NCSD has not prioritized specific initiatives, taking into consideration the required resources to ensure the timely completion of its initiatives. As a result, many of NCSD's initiatives are not complete and the progress to date has been limited.

While NCSD has begun many initiatives to address the recommendations proposed in The National Strategy to Secure Cyberspace, many of its efforts lacked specific timeframes for completion. NCSD personnel said that each of the actions outlined in the division's draft Strategic Plan, dated May 2006, and all of the program plans developed by its branches that support it, are a "priority." We determined that these actions had not been prioritized based on NCSD management goals or available resources.

Certain critical programs that were established to implement recommendations from The National Strategy to Secure Cyberspace will not be completed for another 2 or more years. For example, the Control Systems Security Program, the goal of which is to guide a cohesive effort between government and industry and reduce the risk to critical infrastructure control systems, is not expected to complete its rollout until FY 2009. Additionally, the computer forensics laboratory, which will train government security personnel to become specialized in multiple forensic areas, is not expected to be fully operational until FY 2009, but will begin initial training in the fall of 2007.

In addition, some members of the National Cyber Response Coordination Group, the IT-Information Sharing and Analysis Center, and the IT-Sector Coordinating Council expressed their concerns that NCSD has too many priorities for the available resources provided to the division. Some group members also expressed concerns that NCSD was not working on initiatives that are currently needed. For example, members cited the need for smaller cyber exercises in addition to the larger-scale one previously held, or the creation of operational recovery plans in the event of a major cyber incident. Group members believed that these concerns became more critical with the issuance in December 2006 of the IT-Sector Specific Plan. This plan listed over 70 short- and long-term actions, many needing NCSD assistance, which need to be completed within the next 3 years. In addition, the CS&T Strategy report, issued in December 2006, identified strategic priorities and actions that are to be accomplished within the next 2 years. Taken in total, the number of existing and new actions required of NCSD is significant and could overextend the capabilities of the division if not prioritized and properly resourced.

NCSD Needs to Improve the Monitoring of Its Milestones

NCSD's monitoring of its program initiatives needs improvement. NCSD has not established a process to monitor and manage effectively the division's current milestones and deliverables. As a result, it is difficult for management to monitor the division's efforts in completing its initiatives and to determine whether they are on schedule, ahead of schedule, or behind schedule.

NCSD has not consolidated the tracking of all of the division's milestones and deliverables. NCSD produced a draft Strategic Plan in May 2006, which details its actions and milestones to accomplish the division's goals. To support the Strategic Plan, NCSD staff developed ten program plans that include milestones for major deliverables and actions. Program plans list the overview of the program, goals, milestones, performance measures, resources, and challenges. In addition, NCSD management uses quarterly Program Assessment Rating Tool (PART) reports to track milestones that have been completed during the quarter. PART is a diagnostic tool that the Office of Management and Budget (OMB) uses to assess the performance of programs and to drive improvement in program performance. OMB defines three categories of performance measures: (1) outcome, the intended result of carrying out a program or activity (value added); (2) output, the level of activity that will be provided over a period of time; and (3) efficiency, the ratio of the outcome or output to the input of any program. The PART report only identifies tasks or milestones that have been met. It does not identify or explain delays.

The Strategic Plan and the individual program plans do not associate resource requirements with the achievement of deliverables and milestones. In addition, four of the ten program plans reviewed did not contain information on interim milestones. For example, some milestones were listed as "ongoing," "FY 2007," "FY06-FY10," or "FY06-FY10 Planned." These types of milestones do not allow NCSD management to monitor effectively the incremental progress of its initiatives and evaluate whether the program goals have been achieved. Interim milestone dates are often needed to manage incremental progress for activities that can take years to complete in their entirety. We also found instances where some milestones were reported in the program plans as complete, but were not reported on the PART report.

The sophistication and effectiveness of cyber attacks have steadily advanced in recent years. Therefore, to improve its ability to address these threats, it is imperative that NCSD prioritize its initiatives based upon available resources and criticality as determined by management. Without establishing priorities, NCSD cannot ensure that critical initiatives and milestones are accomplished on schedule and in a timely manner. Improving the monitoring of its milestones will give NCSD the ability to better guide and track the division's activities in implementing the recommendations outlined in The National Strategy to Secure Cyberspace.

Recommendations

We recommend that the Assistant Secretary for CS&C direct the NCSD Director to:

Recommendation #1: Establish priorities and milestones (short term and long term) for critical tasks using input from the CS&T Strategy Summary report, IT-Sector Specific Plan, and The National Strategy to Secure Cyberspace. Milestones should be based on available funding and resources.

Recommendation #2: Consolidate the tracking of all current and future initiatives and milestones, and review at least quarterly.

Management Comments and OIG Analysis

CS&C concurred with recommendation 1. CS&C plans to address its strategic priorities through short- and long-term actions over the course of the next 2 years and beyond. NCSD's implementation plan and detailed program plans, which are mapped to CS&C's priorities, contain its goals and priorities. To improve performance management within its new organizational structure, CS&C is in the process of defining additional performance measures and milestones that tie into NCSD's mission, priorities, processes, and available resources. In addition, CS&C has scheduled its first quarterly review to evaluate NCSD's progress in terms of priorities developed by the Assistant Secretary for CS&C, current funding, and anticipated funding for Fiscal Year 2008.

We agree that the steps that CS&C has taken, and plans to take, satisfy this recommendation.

CS&C did not concur with the finding that resulted in recommendation 2. In disagreeing with the finding that NCSD needs to improve the monitoring of its milestones, CS&C indicated that NCSD monitors its milestones and performance based upon its strategic plan and updates its program plans each quarter. In addressing our recommendation, NCSD is revising its strategic plan with a comprehensive implementation plan and updated program plans to track actions, milestones, and resources. NCSD will report quarterly to CS&C on accomplishments and deliverables mapped to programmatic actions, milestones, and resource allocations, identifying anticipated potential shortfalls and remedial actions.

We believe that the steps that NCSD has taken, and plans to take, satisfy this recommendation to consolidate the tracking of all current and future initiatives and milestones and review them quarterly.

Better Defined Performance Measures Are Needed

NCSD has not developed the effective performance measures needed to monitor the division's success in accomplishing its mission and goals. Without such measures, NCSD will have difficulty in determining how effective its initiatives are in achieving significant results in strengthening the nation's cyber security.

Performance measures are the indicators or metrics that are used to gauge program performance. Furthermore, performance measures should address the direct products and services delivered by a program (outputs), and the results of those products and services (outcomes). Outcomes are important, as they often describe the intended result or consequence that will occur from carrying out a program or activity. For example, an outcome goal might be to reduce the time it takes to disseminate a cyber threat warning by FY 2008. Therefore, outcomes are of direct importance to beneficiaries and the public. While performance measures must distinguish between outcomes and outputs, there must be a reasonable connection between them, with outputs supporting (i.e., leading to) outcomes in a logical fashion.

NCSD has developed performance measures based on OMB's PART metrics: output, outcome, and efficiency. NCSD branches report to OMB the status of their metrics on a quarterly basis. To monitor branch progress, NCSD identified three performance measures:
  •   Number of cyber security products delivered to key stakeholders (output).
  •   Percent of targeted stakeholders who participate in or obtain cyber security products and services (outcome).
  •   Percent of completion of key milestones and accomplishments (efficiency).

We determined that NCSD has not developed sufficient outcome performance measures to ensure that its programs are achieving the intended results and impact, i.e., secure cyberspace and reduce security vulnerabilities. For instance, NCSD developed performance measures that emphasize "quantity" (number of newsletters issued, number of people attending conferences or workshops), but has not developed measures to evaluate the "quality" of its products and services. For example, outcomes that measure the effect newsletters or conferences have on the cyber community, the number of vulnerabilities reduced, or the usefulness of the information or service to the public have not been established.

In addition, since one of NCSD's performance measures is the percent of completion of key milestones, it is important that target completion dates be established for all milestones and deliverables in order to monitor the performance and progress of the branches. For example, some of the milestones in the individual program plans were listed as "ongoing" or "FY06-FY10." Additionally, one of the goals of the Outreach and Awareness branch is to maintain relationships with governmental cyber security professionals in order to share information about cyber security initiatives, and develop partnerships to promote collaboration on cyber security preparedness issues. Performance measures and milestones that would evaluate its success have not been developed.

According to OMB guidance, performance measures are developed to monitor a program's accomplishments and determine whether results are being achieved. Establishing performance measures also keeps program partners focused on the key goals of a particular initiative. Performance measures must reflect a program's mission and priorities, be few in number, and should reflect direct outcomes. In some cases where the outcome of a program may not be realized for many years, a program should define specific short- and medium-term steps or milestones to accomplish the long-term outcome performance goals. Appropriate performance goals should include performance measures and targets, outcomes, and annual and long-term measures and targets.

Recommendation

We recommend that the Assistant Secretary for CS&C direct the NCSD Director to:

Recommendation #3: Develop additional performance measures for each branch that can be used to review and periodically evaluate the outcome or success of the division's programs.

Management Comments and OIG Analysis

CS&C did not concur with the finding that resulted in recommendation 3. In disagreeing with the finding that better defined performance measures are needed, CS&C indicated that NCSD developed and began collecting internal program-level measures to improve the ability to assess overall programmatic progress in the third quarter of Fiscal Year 2006. In addressing our recommendation, NCSD recently developed revised PART measures to cover all of its programs.
NCSD is regularly evaluating its metrics and strives to\n     improve them.\n\n     We believe that the steps that NCSD has taken, and plans to take, satisfy this\n     recommendation to develop additional performance measures.\n\n\n\n\n      Challenges Remain in Securing the Nation\xe2\x80\x99s Cyber Infrastructure\n\n                                 Page 10\n\x0c                          Expanded Incident Reporting Analysis Will Improve Identification and\n                          Response to Cyber Incidents\n\n                          US-CERT is not performing detailed analysis to ensure that all incidents are\n                          being received from all federal agencies.4 Less than complete reporting\n                          hampers the government\xe2\x80\x99s ability to know whether an incident is isolated at\n                          one agency or is part of a larger event (widespread propagation of an Internet\n                          worm) and thus complicates and delays appropriate response, such as\n                          distributing security patches or other compensating controls.\n\n                          Security incidents are reported to US-CERT either through OMB-mandated\n                          incident reports from federal agencies or incident reports submitted\n                          voluntarily by state, local, and tribal governments, as well as private sector\n                          organizations. In addition, US-CERT monitors real-time network traffic from\n                          selected Internet access points to detect suspicious activities for those federal\n                          agencies that are participating in the Einstein program. The Einstein program\n                          is an initiative that builds cyber-related situational awareness across the\n                          participating federal agencies. 
Specifically, the Einstein program employs an\n                          automated tool to monitor government agencies\xe2\x80\x99 network traffic to facilitate\n                          the identification and response to cyber threats and attacks, improve network\n                          security, increase the resiliency of critical electronically delivered government\n                          services, and enhance the survivability of the Internet. The Einstein program\n                          helps agencies identify baseline network traffic patterns, configuration\n                          problems, unauthorized network traffic, network backdoors, routing\n                          anomalies, and network scanning activities.\n\n                          Federal agencies are required to follow US-CERT\xe2\x80\x99s Concept of Operations for\n                          Federal Cyber Security Incident Handling when analyzing and reporting\n                          security incidents. US-CERT leveraged National Institute of Standards and\n                          Technology (NIST) guidance to identify incident and event categories and\n                          reporting timeframes for federal civilian agencies when submitting security\n                          incidents to US-CERT (see Appendix D).\n\n                          In OMB\xe2\x80\x99s 2004 and 2005 reports to Congress, the accuracy, timeliness, and\n                          completeness of incident reporting was identified as a concern.5 In addition,\n                          OMB cited that the number of incidents reported indicated sporadic reporting\n                          by some agencies and unusually low levels of reported malicious activity at\n                          other agencies.\n\n4\n  An incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or\nstandard computer security practices. 
Examples of the incidents are (1) denial of service attacks, (2) malicious codes,\n(3) unauthorized access, and (4) improper usage.\n5\n  Federal Information Security Management Act (FISMA) 2004 Report to Congress, dated March 1, 2005, and FY 2005\nReport to Congress on Implementation of The Federal Information Security Management Act of 2002, dated\nMarch 1, 2006.\n\n                            Challenges Remain in Securing the Nation\xe2\x80\x99s Cyber Infrastructure\n\n                                                        Page 11\n\x0c                            Security incidents reported by federal agencies are analyzed for emerging\n                            threats and ranked by severity. US-CERT does not determine whether all\n                            security incidents and events are being reported by all federal agencies.\n                            Furthermore, US-CERT has not developed a process to use potential cyber\n                            incidents identified by Einstein along with other analyses to identify possible\n                            incident underreporting.\n\n                            We obtained a summary report prepared by US-CERT for the period of\n                            October 1, 2004, to September 30, 2006. The number of incidents reported to\n                            US-CERT by federal agencies has increased each of the last 2 years\n                            (FY 2005: 3,631; FY 2006: 5,237). See Figure 2 below for the number of\n                            incidents and events reported during this period.\n\n                            Figure 2-Total Incidents and Events by Month\n\n\n\n\n                            There is a wide variation in the number of incidents and events reported to\n                            US-CERT by federal agencies of comparable size. 
For example, over the\n                            2-year period, one agency with more than 56,000 employees reported 726\n                            incidents, whereas another comparable agency with more than 67,000\n                            employees reported only 17 incidents. In an effort to address this problem,\n                            OMB reported to Congress in FY 2005 that DHS had begun deploying\n                            Einstein\xe2\x80\x99s automated tool to monitor network traffic at three agencies and had\n                            funding to install it at an additional six agencies.6 OMB further reported that\n                            the use of this and similar tools should considerably improve the\n                            government\xe2\x80\x99s ability to identify and respond to potential incidents in a timely\n                            manner. While DHS is the lead federal agency in securing the nation\xe2\x80\x99s\n                            cyberspace, it is not one of the federal agencies using Einstein department-\n                            wide to monitor its network traffic.\n\n6\n    As of December 2006, eight agencies were participating in the Einstein program.\n\n                              Challenges Remain in Securing the Nation\xe2\x80\x99s Cyber Infrastructure\n\n                                                          Page 12\n\x0c     As a service to federal agencies, US-CERT summarizes all security incidents\n     and events, and issues a high-level snapshot report (quarterly and annually) to\n     the White House and federal agencies. 
According to US-CERT personnel,\n     these reports can be used by agencies to compare their individual security\n     incidents and events with those reported by other agencies.\n\n     NCSD management said that while the Federal Information Security\n     Management Act (FISMA) requires federal agencies to report all incidents to\n     US-CERT, NCSD has not been given the authority to enforce individual\n     agency reporting. To rectify sporadic incident reporting by federal agencies,\n     NCSD staff have discussed the issue with OMB. NCSD has also met with the\n     Chief Information Officers Council to make them aware of the need and\n     benefits of reporting all incidents to US-CERT and have performed outreach\n     to agencies that are reporting few if any incidents. NCSD management said\n     that the annual FISMA reviews performed by the agency Inspectors General\n     are used to identify and report instances of underreporting.\n\n     An effective incident response capability is critical to a government-wide\n     security program as well as individual agency programs. 
In order for\n     US-CERT to successfully perform its duties, it must have an accurate\n     depiction of incidents across all agency bureaus and operating divisions.\n     Additionally, incident reports can provide Chief Information Officers and\n     other agency senior managers with valuable input for risk assessments, help\n     prioritize security improvements, and illustrate risk and related trends.\n\nRecommendations\n     We recommend that the Assistant Secretary for CS&C direct the NCSD\n     Director to:\n\n     Recommendation #4: Develop and implement procedures to review and\n     analyze agencies\xe2\x80\x99 incidents submissions to identify underreporting of\n     incidents by federal agencies.\n\n     Recommendation #5: Work with OMB and federal agencies to eliminate\n     underreporting of cyber security incidents to US-CERT and complete the\n     deployment of Einstein to all federal agencies.\n\nManagement Comments and OIG Analysis\n     CS&C did not concur with recommendation 4. While NCSD continues to\n     work collaboratively with OMB and federal agencies to encourage more\n     robust reporting, compliance with FISMA regulations and underreporting\n     issues fall outside the scope and authority of US-CERT.\n\n      Challenges Remain in Securing the Nation\xe2\x80\x99s Cyber Infrastructure\n\n                                 Page 13\n\x0c          While we agree that OMB is responsible for directing federal agencies to\n          report all cyber incidents to US-CERT under FISMA guidance, we believe\n          that NCSD, as the lead in securing cyberspace for the federal government,\n          should develop and implement procedures to identify underreporting of\n          incidents. The identification of underreporting would be based on analysis\n          and situational monitoring currently being performed by US-CERT. 
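One shape such an underreporting analysis could take, as an added example that is not code from the OIG report, NCSD, or US-CERT: it generalizes the report's comparison of two similarly sized agencies into a peer check on incidents per 1,000 employees and adds the cross-check against Einstein-flagged potential incidents that the report says US-CERT lacks. Agency names, thresholds, Einstein alert counts, and every record other than the two headcount/incident pairs quoted above are constructed.

```python
"""Peer-based underreporting check over agencies' incident submissions.

Added example, not code from the OIG report, NCSD, or US-CERT. Agency names,
thresholds, Einstein alert counts, and every record except the two
headcount/incident pairs quoted in the report are constructed sample data.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class AgencyReport:
    """One agency's figures for a reporting period (constructed record type)."""
    name: str
    employees: int
    incidents: int        # incidents the agency reported to US-CERT in the period
    einstein_alerts: int  # potential incidents flagged by Einstein sensors; 0 if not deployed


def rate_per_1000(report):
    """Incidents reported per 1,000 employees: the size-normalised view behind the
    report's comparison of a 56,000-employee agency with a 67,000-employee one."""
    return 1000.0 * report.incidents / report.employees


def comparable_peers(report, reports, low=0.5, high=2.0):
    """Agencies of comparable size: headcount within [low, high] times this agency's.
    Falls back to all other agencies when fewer than two such peers exist."""
    others = [r for r in reports if r is not report]
    peers = [r for r in others
             if low * report.employees <= r.employees <= high * report.employees]
    return peers if len(peers) >= 2 else others


def flag_underreporting(reports, rate_floor=0.25, einstein_floor=0.10):
    """Return {agency name: [reasons]} for agencies whose submissions look incomplete.

    Two independent signals, each an assumption about what 'implausibly low' means:
      1. Peer comparison: the agency's rate per 1,000 employees is below
         rate_floor times the median rate of comparably sized agencies.
      2. Sensor comparison: where Einstein is deployed, reported incidents are
         below einstein_floor times the potential incidents Einstein flagged
         (the cross-check the report says US-CERT has no process for).
    Either signal is a prompt for follow-up with the agency, not proof.
    """
    findings = {}
    for r in reports:
        reasons = []
        peers = comparable_peers(r, reports)
        if peers:
            peer_median = median(rate_per_1000(p) for p in peers)
            own = rate_per_1000(r)
            if own < rate_floor * peer_median:
                reasons.append(
                    f"{own:.2f} incidents/1,000 employees vs peer median {peer_median:.2f}")
        if r.einstein_alerts and r.incidents < einstein_floor * r.einstein_alerts:
            reasons.append(
                f"{r.incidents} reported vs {r.einstein_alerts} Einstein-flagged potential incidents")
        if reasons:
            findings[r.name] = reasons
    return findings


# Constructed sample. Agency A and Agency B carry the figures quoted in the report
# (56,000 employees / 726 incidents and 67,000 / 17 over the 2-year period); the
# other agencies, and all Einstein alert counts, are invented for illustration.
SAMPLE = [
    AgencyReport("Agency A", 56_000, 726, 0),
    AgencyReport("Agency B", 67_000, 17, 0),
    AgencyReport("Agency C", 60_000, 540, 900),
    AgencyReport("Agency D", 12_000, 140, 0),
    AgencyReport("Agency E", 15_000, 9, 310),
    AgencyReport("Agency F", 9_000, 95, 0),
]

if __name__ == "__main__":
    for name, reasons in flag_underreporting(SAMPLE).items():
        print(f"{name}: possible underreporting")
        for why in reasons:
            print("  -", why)
```

On the sample, Agency B is flagged by the peer comparison alone and Agency E by both signals; the agencies with ordinary rates and no sensor mismatch are not flagged.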
The procedures we are recommending could be used in conjunction with recommendation 5 (eliminating underreporting of cyber security incidents), which CS&C agreed to implement.

CS&C concurred with recommendation 5. NCSD continues to work collaboratively with OMB and federal agencies to encourage more robust reporting but does not have the authority to mandate reporting. NCSD is working to expand the Einstein program to additional federal agencies. The program is planning an aggressive rollout of additional Einstein installations by the end of Fiscal Year 2008.

We agree that the steps that CS&C has taken, and plans to take, satisfy this recommendation.

Recommendation

We recommend that the DHS Chief Information Officer:

Recommendation #6: Participate in the Einstein program in order to detect and identify potential security incidents.

Management Comments and OIG Analysis

CS&C concurred with recommendation 6. NCSD is working closely with the Office of the Chief Information Officer to deploy Einstein across the department. A memorandum of agreement has been drafted between the parties and they will continue to collaborate.

We agree that the steps that management has taken, and plans to take, satisfy this recommendation.

Improved Information Sharing and Communications Will Enhance Cyber Infrastructure Security

NCSD needs to improve its information sharing and communications programs with its private sector partners. Some private sector partners expressed concern over the focus and clarity of NCSD’s communications. Concern was also expressed with the sharing of classified information with the private sector. Without the public and private sectors working together in identifying and sharing critical cyber information, there is little assurance that all critical data is made available to key personnel in order to prevent or recover from a major cyber incident.

Communications with Private Sector

NCSD interacts with the IT sector (comprised of the producers and providers of hardware, software, and IT services) through working groups and incident response organizations. NCSD also collaborates with groups from the public and private sectors to facilitate the collection and sharing of computer security information and incidents.

While members of the groups interviewed said that there have been improvements at NCSD in the past year, including the sharing of threats and vulnerabilities and better interaction with NCSD staff, many in the private sector remain resistant to sharing information with the federal government. Group members expressed concern with the number of NCSD’s ongoing priorities (noted in our previous finding), communications with the private sector, and the sharing of information.

NCSD helped to create the National Cyber Response Coordination Group, the principal interagency forum to coordinate intra-governmental and public/private preparedness efforts to respond to and recover from large-scale cyber attacks. NCSD established the Government Forum of Incident Response and Security Teams, a group of technical and tactical practitioners of security response teams responsible for securing government information technology systems. NCSD also interacts with the IT-Sector Coordinating Council and the IT-Information Sharing and Analysis Center. The IT-Information Sharing and Analysis Center is recognized by DHS as the information sharing organization for private industry within the IT sector.

Some of the IT information sharing organization members expressed concern that NCSD is not focusing its communications program toward the right people. While there has been an extensive amount of outreach and communications with the public and private sector cyber stakeholders, some members believe that there is a lack of communications by NCSD with senior executives at key IT sector companies. The members believe that NCSD senior management should meet with the executives individually to convince them of the value of cyber security improvements and collaboration with the federal government.

Members in the private sector also had concerns when receiving information requests from NCSD. At times, it was unclear what specific information DHS wanted, why the information was needed, what NCSD would do with it, and how the information would be protected. Per group members, there remains a hesitancy by the private sector to share information due to a lack of trust of the government.

Communication with the private sector is a challenge for NCSD. NCSD’s message to the private sector concerning the need for stronger cyber security and information sharing must be communicated to many people at different levels within organizations who are responsible for securing their own portion of cyberspace. Without the support of senior management in the private sector, there is little assurance that employees at these companies will implement the security improvements needed to secure their cyber assets. Further, without a clear understanding by the private sector of how information is used and secured, there is little assurance that NCSD will obtain the information needed to protect the cyber infrastructure.

Sharing of Classified and Sensitive Information

Some private sector partners also expressed concern over the sharing of classified information. Specifically, incident and vulnerability information that the private sector believes it needs to secure its own cyber assets is deemed classified, which prevents the sharing of critical information. In addition, some members of the private sector said that they are not provided with clear guidance on how sensitive (For Official Use Only [FOUO]) or classified information that they do receive can be shared with other people within their organizations.

US-CERT personnel said that classified information is received from many sources, including the intelligence community, Department of Defense, and law enforcement agencies. US-CERT personnel will send an unclassified/FOUO version only to those organizations or individuals that they believe need the information.

The originating organization of classified information is responsible for determining the classification of the documents being sent to US-CERT. Per US-CERT personnel, the originator is to include an unclassified portion or version so that the critical information can be distributed to the appropriate organizations. At times, US-CERT personnel must request the unclassified version from the originator if it was not sent originally. In addition, US-CERT must ask the originator of the information for approval before sending the information out to the recipients.

According to NCSD, US-CERT’s capability to disseminate unclassified information to its public and private sector constituents continues to evolve as NCSD works more closely with the originating organizations to improve the process. In many cases, the originator of the classified information will not allow NCSD to share unclassified versions of the information with the private sector. The marking of unclassified documents as FOUO limits NCSD’s ability to share information with the private sector.

In an attempt to keep the private sector informed on cyber matters, NCSD staff have held meetings with several Information Sharing and Analysis Centers, participated in daily IT-Information Sharing and Analysis Center Operations Center conference calls, and are available for individual inquiries concerning the sharing of classified or sensitive information. NCSD has also discussed classified information with cleared private sector individuals.

Homeland Security Presidential Directive 7 requires DHS and federal agencies to collaborate with the private sector to facilitate sharing of information about physical and cyber threats, vulnerabilities, incidents, potential protective measures, and best practices. The National Strategy to Secure Cyberspace also calls for the removal of impediments to information sharing between the public and private sectors.

It is essential that people and organizations receive and are able to share critical information in order to take the appropriate steps to reduce the effects of a cyber incident. In its December 2006 Strategy report, CS&T acknowledged that information sharing, including the sharing of classified information, is a gap between stakeholder expectations and DHS’ capabilities and programs.

Recommendations

We recommend that the Assistant Secretary for CS&C direct the NCSD Director to:

Recommendation #7: Develop clearer communications with key personnel and organizations in the private sector to explain the processes being used to capture, share, use, and secure cyber information.

Recommendation #8: Expand its communications program with a focus on key private sector executives to encourage corporations to more actively participate in the information sharing program and to better secure their systems.

Recommendation #9: Develop and implement formal procedures for receiving, reviewing, and distributing sensitive and classified information. The procedures should include the types of information that can be shared, and the timing of receiving an unclassified (or reduced level) and redacted version or portion of the information that can be shared with cyber partners in the private sector. These procedures should be reviewed and agreed to by all organizations providing sensitive and classified information.

Management Comments and OIG Analysis

CS&C concurred with recommendation 7. NCSD will continue to build and maintain strong working relationships with the IT sector. In October 2006, US-CERT, in collaboration with the IT-Information Sharing and Analysis Center, developed a draft Concept of Operations for private industry cyber security incident handling that addresses information sharing, communication, and coordination with the private sector, including how the public and private sectors will work together and how information will be shared. In addition, the NCSD Internet Disruption Working Group completed a draft of the information sharing assessment in January 2007, and findings will be briefed to the Internet community at the next Internet Disruption Working Group forum. CS&C will continue to enhance analysis and information aggregation functions to provide timely and actionable dissemination of information.

We agree that the steps that CS&C has taken, and plans to take, satisfy this recommendation.

CS&C concurred with recommendation 8. CS&C agreed that more can and should be done to expand communications to key private sector stakeholders. The Assistant Secretary for CS&C created a permanent External Affairs position within the CS&C front office working closely with NCSD to engage with private sector executives in a variety of forums. Recent activities include meetings with key private sector representatives and major industry groups.

We agree that the steps that CS&C has taken, and plans to take, satisfy this recommendation.

CS&C concurred with recommendation 9. CS&C agreed that more should be done to improve information sharing with public and private sector organizations. US-CERT is working with its intelligence community partners to develop procedures for sharing of information between organizations. In addition, NCSD and its partners have shared classified information with cleared private sector stakeholders and continue to make every effort to develop unclassified versions of key documents to ensure broad dissemination of actionable information.

We agree that the steps that CS&C has taken, and plans to take, begin to satisfy this recommendation.

Revised Certification and Accreditation Will Satisfy FISMA Requirements

NCSD’s certification and accreditation documentation requires updating in order to satisfy FISMA requirements. We noted deficiencies with the security artifacts[7] contained in the accreditation packages for two NCSD systems, Einstein and Cybercop Portal, which were authorized to operate in FY 2006.[8] Lacking key information, agency officials cannot make credible risk-based decisions on whether to authorize systems to operate or ensure that systems are adequately secure. Both systems were authorized to operate for 1 year; therefore they are scheduled to be recertified and accredited in 2007.

NCSD has implemented adequate security controls over the systems reviewed. However, some security documents were missing key information that is required to meet applicable OMB, NIST, and DHS guidelines.[9]

Einstein Documentation

NCSD uses data captured from its Einstein system sensors to analyze suspicious network traffic from across the federal government network infrastructure. A number of improvements are needed in the system documentation. Specifically:
   •   The system security plan does not identify each of the systems that are connected to Einstein or contain an accurate description of the hardware installed. Agency officials require this detailed information in order to make credible, risk-based decisions on whether adequate controls have been implemented and to determine whether to authorize the system to operate.
   •   Einstein’s contingency plan does not address backup and recovery procedures necessary to restore operations in the event of an emergency or system failure.
   •   NCSD has not tested the contingency plan to ensure that business and computer operations can be maintained or restored, possibly at an alternate location, in the event of an emergency, system failure, or disaster.
   •   The risk assessment does not evaluate the likelihood that the vulnerabilities identified may be exploited, or the potential impact and magnitude of harm to the system if they are.
   •   Physical controls implemented at the contractor’s location were not evaluated when completing the NIST 800-26 self-assessment to ensure that physical access to computer resources is restricted to authorized personnel.

[7] DHS requires 11 artifacts be developed during the certification and accreditation process. The 11 artifacts are: Authority To Operate letter, system security plan, risk assessment, security test and evaluation, security assessment report, contingency plan, contingency plan test results, e-authentication determination, Federal Information Processing Standards Publication 199 determination, privacy threshold analysis, and annual self assessment.
[8] The Cybercop Portal is a secure Internet-based information sharing mechanism for more than 8,700 law enforcement members involved in the field of electronic crimes investigations. The law enforcement community, including investigators from private industry, e.g., banks and the network security community, is tied together and supported by this secure, Internet-based collaboration portal. Members represent all 50 states, effectively all government agencies, and more than 40 countries.
[9] According to OMB policy, certification and accreditation requires documentation of security planning, including risk assessments, contingency plans, incident response plans, security awareness and training plans, information systems rules of behavior, configuration management plans, security configuration checklists, privacy impact assessments, and system interconnection agreements.

Cybercop Portal Documentation

NCSD supports the Cybercop Portal, which is used by law enforcement entities at all levels of government to communicate and share information. A number of improvements are needed in the system’s security documentation. Specifically:
   •   The risk assessment does not stipulate the use of security testing to identify vulnerabilities or analyze the effectiveness of controls implemented.
   •   The system test and evaluation plan does not include procedures to assess the effectiveness of controls implemented.
   •   NCSD has not performed annual security testing to evaluate the system controls implemented.
   •   The contingency plan has not been tested to determine whether specific aspects of the plan, such as the data backup and recovery procedures, remain valid.
   •   Security awareness training was not provided to contractors who are responsible for maintaining the system.

Vulnerability Assessments of Einstein and Cybercop Portal

Overall, NCSD has implemented adequate security controls over each of the two systems reviewed. To assess system security, we (1) interviewed information technology personnel responsible for Einstein and Cybercop Portal; (2) performed vulnerability scans at NCSD headquarters, contractor sites, and the Einstein collection systems at one federal agency; (3) manually reviewed selected routers, switches, and firewalls for the Einstein system; and (4) performed vulnerability scans on selected servers and firewalls, and password analysis, for the Cybercop Portal. Our testing did not include an assessment of the Cybercop Portal application software.

No high-risk vulnerabilities were detected on the Cybercop Portal devices tested. We found only two medium-risk vulnerabilities on the Einstein system. When devices are not properly configured, the vulnerabilities could be exploited to gain inappropriate access to sensitive information. Subsequent to the completion of our audit work, NCSD personnel indicated that appropriate actions have been taken to address the vulnerabilities. As fieldwork had already been completed, we did not verify whether the vulnerabilities had been addressed.

FISMA requires federal agencies to provide adequate controls for the data and information systems under their control by (1) periodically assessing the risk and magnitude of the harm that could result from unauthorized access, use, disclosure, disruption, modification, or destruction; (2) performing annual security testing to evaluate the effectiveness of the security controls implemented; (3) providing security awareness training to inform personnel, including contractors and other users; and (4) planning and developing procedures to ensure the continuity of operations for the systems and data that support the operations and assets of the agency.

Contingency planning is designed to mitigate the risk of system and service unavailability by focusing on effective and efficient recovery solutions. Testing of contingency plans is performed to validate specific aspects of the plan, policies, procedures, systems, and facilities that will be used in the event of an emergency. Testing the plan identifies planning gaps and is also a training exercise to prepare recovery personnel for plan activation, which can improve plan effectiveness and overall agency preparedness.

Recommendations

We recommend that the Assistant Secretary for CS&C direct the NCSD Director to develop and implement procedures for all systems to:

Recommendation #10: Ensure that certification and accreditation documents contain complete and accurate information to reflect the security postures of the system.
In addition, security documents should be reviewed periodically and revised if necessary to ensure that agency officials are provided with the most accurate information to make credible, risk-based decisions on whether to authorize a system to operate.

Recommendation #11: Test contingency plans, at least annually, to ensure business and computer operations can be maintained or restored in the event of an emergency, system failure, or disaster.

Recommendation #12: Perform security testing annually to evaluate the effectiveness of controls implemented.

Recommendation #13: Provide security awareness training to all contractors.

Recommendation #14: Remedy all vulnerabilities identified for which risks have not been assumed.

Management Comments and OIG Analysis

CS&C concurred with recommendation 10. NCSD has a dedicated full-time Information Systems Security Officer to ensure that US-CERT systems, including Einstein and Cybercop Portal, meet FISMA requirements and continue to maintain the proper authority to operate. Based on feedback from our review, US-CERT is in the process of updating documentation for the 2007 Einstein and Cybercop Portal re-accreditations.

We agree that the steps that CS&C plans to take satisfy this recommendation.

CS&C concurred with recommendation 11. US-CERT has successfully implemented a backup system for Einstein. In March 2007, Einstein's back-up system was successfully tested, with additional testing planned in upcoming months. Additionally, US-CERT has requested resources to build and maintain an alternate site location for the Einstein program. A Continuity of Operations Plan has been developed and is operational for the Cybercop Portal, including an off-site backup capability.

We agree that the steps that CS&C has taken, and plans to take, begin to satisfy this recommendation. However, CS&C did not specifically address whether it has tested or will test the Cybercop Portal's off-site backup capability. We maintain that contingency plans should be tested for all systems, at least annually.

CS&C concurred with recommendation 12. US-CERT performs security testing annually in compliance with DHS policy. US-CERT is currently submitting documentation and conducting testing so that an additional one-year authority to operate the Einstein system may be granted. For the Cybercop Portal, annual security testing is performed in accordance with standard certification and accreditation procedures. The administrator of the Cybercop Portal conducts additional security testing to evaluate the effectiveness of the controls implemented.

We agree that the steps that CS&C has taken, and plans to take, satisfy this recommendation.

CS&C concurred with recommendation 13. NCSD provides and complies with all security awareness training required by DHS for all staff, including contractors. CS&C conducted its latest security awareness training for all its components on April 25, 2007.

We agree that the steps that CS&C has taken satisfy this recommendation.

CS&C concurred with recommendation 14. NCSD and US-CERT have been proactive in addressing identified vulnerabilities within Einstein and have resolved the necessary items.

We agree that the steps that CS&C has taken begin to satisfy this recommendation. However, while CS&C addressed the vulnerabilities we identified during the audit, it did not specifically address whether it will remedy all vulnerabilities identified as a result of future security testing for which risks have not been assumed.

Appendix A
Purpose, Scope, and Methodology

Our objective was to determine whether NCSD is working collaboratively with public, private, and international entities to secure cyberspace and cyber assets and has effectively managed the implementation of The National Strategy to Secure Cyberspace. Specifically, we determined whether: (1) NCSD has adequately addressed the actions and recommendations in The National Strategy to Secure Cyberspace; (2) implementation plans are meeting NCSD's strategic goals and priorities; (3) US-CERT is adequately performing its mission; (4) partnerships and coordination with other government agencies and the private sector are effective in securing cyberspace and cyber assets; and (5) operational systems are in compliance with Federal Information Security Management Act requirements.

To accomplish our audit, we interviewed selected NCSD personnel and contractors at its headquarters and contractor facilities.
We interviewed selected members of the Government Forum of Incident Response and Security Teams, the IT-Information Sharing and Analysis Center, the IT-Sector Coordinating Council, and the National Cyber Response Coordination Group to obtain their perspective on how well NCSD is managing its mission and working with its cyber partners. These groups were selected because their members work with NCSD on a regular basis. We asked for feedback about NCSD's priorities, communications and information sharing, frustrations, and positive aspects of NCSD.

During the audit, we reviewed applicable security policies, procedures, and other appropriate documentation. In addition, we evaluated the quality of the certification process for two of NCSD's mission support systems (Einstein and Cybercop Portal) and determined whether the systems were accredited per OMB and DHS guidance. We further tested security controls over the two systems to ensure that effective controls have been implemented to protect the information stored and processed by the systems. We used network vulnerability assessment software (Tenable Network Security's Nessus Vulnerability Scanner and Internet Security Systems' Internet Scanner) to detect and analyze vulnerabilities on devices for the two systems at NCSD headquarters, one federal agency, and contractor sites. Upon completion of the assessments, we provided NCSD with technical reports detailing the vulnerabilities detected and the remediation actions needed.

We conducted our audit between October 2006 and January 2007 under the authority of the Inspector General Act of 1978, as amended, and according to generally accepted government auditing standards. Major OIG contributors to the audit are identified in Appendix E.

The principal OIG points of contact for the audit are Frank W. Deffer, Assistant Inspector General, IT Audits, at (202) 254-4100 and Edward G. Coleman, Director, Information Security Audit Division, at (202) 254-5444.

Appendix B
Management Comments to the Draft Report

(The management comments occupy pages 26 through 34 of the original report; their text is not reproduced in this extraction.)

Appendix C
NCSD Major Functions and Responsibilities

NCSD Director

The NCSD Director is responsible for issues related to the operation of the NCSD, such as human resources, policy, and budget, as well as participation in international initiatives. The director develops the overall strategic direction and priorities for the division, in line with CS&C goals and objectives.
The director is responsible for managing US-CERT, which is a partnership between NCSD and the public and private sectors to make cyber security a coordinated, national effort; increase public awareness of cyber threats and vulnerabilities; and improve computer security preparedness and response to cyber threats.

US-CERT Operations Branch

NCSD's US-CERT Operations branch focuses on situational awareness, analytical cells, and federal coordination. US-CERT is charged with protecting the nation's Internet infrastructure by coordinating defense against and response to cyber attacks. US-CERT is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities. A key component of US-CERT is the National Cyber Security Response System (Response System), which provides a nationwide, real-time collaborative information-sharing network to enable communication and collaboration among DHS and federal, state, local, and international government and law enforcement entities. Components of the Response System include the following:
    • The US-CERT Operations Center serves as a 24-hour-a-day, 7-day-a-week, real-time focal point for cyber security, conducting daily conference calls with U.S.-based watch and warning centers to share classified and unclassified security information.
    • The US-CERT Portal provides a Web-based collaborative system that allows US-CERT to share sensitive cyber-related information with members of government and industry.
    • The US-CERT Control Systems Security Center serves as an operational and strategic component of US-CERT's capability to address the complex security issues associated with the use of control systems.
    • The US-CERT public web site provides government, the private sector, and the public with information they need to improve their ability to protect their information systems and infrastructures.
    • The National Cyber Alert System delivers targeted, timely, and actionable information to Americans to allow them to secure their computer systems.
    • The National Cyber Response Coordination Group brings together officials from federal agencies to coordinate public/private cyber preparedness and incident response.
    • The Government Forum of Incident Response and Security Teams is a community of government response teams that are responsible for securing government information technology systems. This forum works to understand and handle computer security incidents and to encourage proactive and preventive security practices.

Outreach and Awareness Branch

NCSD's Outreach and Awareness branch is responsible for outreach, awareness, and messaging. The branch promotes cyber security awareness among the general public and within key communities, maintains relationships with governmental cyber security professionals to coordinate and share information about cyber security initiatives, and develops partnerships to promote public/private coordination and collaboration on cyber security issues.

The branch is organized into three functional areas: Stakeholder Outreach, Communications and Messaging, and Coordination. The Stakeholder Outreach team serves to build and maintain relationships among and between industry, government, and academia in order to raise cyber security awareness and secure cyberspace. The Communications and Messaging team focuses on coordination of internal and external communications. The Coordination team works to ensure collaboration on events and activities across NCSD and with other DHS entities, including the public affairs, legislative affairs, and private-sector offices and others, as appropriate. The team works to foster the department's role as a focal point and coordinator for securing cyberspace and implementing The National Strategy to Secure Cyberspace. The International Affairs program engages in international outreach activities to build awareness about the global cyber risk, secure the critical information infrastructure, establish information sharing relationships, communications mechanisms, and collaborative arrangements, and institute collaborative arrangements for addressing critical information infrastructure protection issues.

Law Enforcement and Intelligence Branch

The Law Enforcement and Intelligence branch of NCSD has two primary responsibilities: managing the National Cyber Response Coordination Group and facilitating the coordination of law enforcement and intelligence cyber-related efforts for NCSD. This branch serves as a liaison to the law enforcement and intelligence communities and provides a mechanism for information sharing among the components concerned with cyber issues of law enforcement, intelligence, and the private sector. This information sharing includes all levels of information (classified, law enforcement sensitive, and unclassified).

Strategic Initiatives Branch

NCSD's Strategic Initiatives branch is organized into seven programs with different responsibilities, as follows:
    • The Critical Infrastructure Protection Cyber Security program is responsible for developing a critical infrastructure protection plan for the IT Sector, including the Internet, that will identify critical assets and vulnerabilities, map interdependencies, and promote cyber awareness throughout other sector-specific plans.
    • The Control Systems Security program is responsible for facilitating control system incident management and security awareness, establishing an assessment capability for vulnerability reduction and incident response, creating a self-sustaining security culture within the control systems community, focusing attention on the protection of legacy control systems, and making strategic recommendations for the future of control systems and security products.
    • The Software Assurance program presents a framework for promoting and coordinating efforts to improve the security, reliability, and safety of software.
    • The Training and Education program is responsible for promoting the development of an adequate number of effective cyber security professionals, enhancing cyber security capabilities within the federal workforce by identifying the skills and abilities necessary for specific job tasks, and working with other organizations to develop content standards for training products and for certifications.
    • The Cyber Exercise program is charged with improving the nation's ability to respond to cyber incidents by creating, sponsoring, and learning from international, national, regional, and interagency exercises. The team is responsible for planning and coordinating cyber security exercises with internal and external DHS stakeholders.
    • The Standards and Best Practices/Research and Development Requirements program works to encourage technology innovation efforts. The team is responsible for identifying cyber security research and development requirements and cyber security standards issues, and for assembling and distributing information on best practices.
    • The Information Systems Security Line of Business program provides leadership and direction for improving information systems security services across the federal government.
The program works to achieve more consistent security management processes and controls across government through the reuse of proven best practices, and by promoting savings through reduced duplication and economies of scale for common hardware, software, and shared services.

Appendix D
Federal Agency Incident Categories

Table columns: Category, Name, Description, Reporting Timeframe.

CAT 0  Exercise/Network Defense Testing
       Description: This category is used during state, federal, national, and international exercises and approved activity testing of internal/external network defenses or responses.
       Reporting Timeframe: Not applicable; this category is for each agency's internal use during exercises.

CAT 1  Unauthorized Access
       Description: In this category an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource.
       Reporting Timeframe: Within one (1) hour of discovery/detection.

CAT 2  Denial of Service
       Description: An attack that successfully prevents or impairs the normal authorized functionality of networks, systems, or applications by exhausting resources. This activity includes being the victim of or participating in the denial of service.
       Reporting Timeframe: Within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity.

CAT 3  Malicious Code
       Description: Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus software.
       Reporting Timeframe: Daily. Note: Within one (1) hour of discovery/detection if widespread across the agency.

CAT 4  Improper Usage
       Description: A person violates acceptable computing use policies.
       Reporting Timeframe: Weekly.

CAT 5  Scans/Probes/Attempted Access
       Description: This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service.
       Reporting Timeframe: Monthly. Note: If the system is classified, report within one (1) hour of discovery.

CAT 6  Investigation
       Description: Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.
       Reporting Timeframe: Not applicable; this category is for each agency's use to categorize a potential incident that is currently being investigated.

Appendix E
Major Contributors to this Report

Information Security Audits Division

Edward G. Coleman, Director
Jeff Arman, Audit Manager
Chiu-Tong Tsang, Audit Team Leader
Jason Bakelar, Information Technology Specialist
Charles Twitty, Auditor

Tarsha Ross, Referencer

Advanced Technology Division

David Hawkins, Senior Security Engineer

Appendix F
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretary
Assistant Secretary for Policy
Assistant Secretary for Public Affairs
Assistant Secretary for Legislative and Intergovernmental Affairs
Under Secretary for National Protection and Programs
Assistant Secretary for Office of Cyber Security and Communications
Chief Information Officer
Deputy Chief Information Officer
Chief Information Security Officer
Director, Compliance and Oversight Program
Director, National Cyber Security Division
Director, DHS GAO/OIG Liaison Office
Chief Information Officer Audit Liaison
National Protection and Programs Audit Liaison
National Protection and Programs Information Systems Security Manager
Director, OIG Information Security Audit Division
Chief Privacy Officer

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG web site at www.dhs.gov/oig.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations, call the OIG Hotline at 1-800-323-8603; write to DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations – Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528; fax the complaint to (202) 254-4292; or email DHSOIGHOTLINE@dhs.gov. The OIG seeks to protect the identity of each writer and caller.